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(54) Method and apparatus for recording of encrypted digital data 



(57) A method of recording transmitted digital data 
in which transmitted digital information CW 96 is 
encrypted 97 using a recording encryption key E(NE) 
98 and the resulting encrypted ECM message 99 stored 
on recording support medium. An equivalent of the 
recording encryption key E{NE) 100 is further encrypted 
by a recorcf ng transport key RT(A) 102 to form an EMM 
message 103 stored on the support medium together 
with the encrypted ECM message 99. 
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explained in further detail below, the transmitted infor- 
mation may be in some cases processed and/or reen- 
crypted by the decoder before being communicated to 
the recording means. 

[0015] The decoder means may itself be associated s 
with a portable security module used to store transmis- 
sion access control keys used to decrypt the transmitted 
encrypted information. In some embodiments, this n^y 
be distinct from the portable security module associated 
with the recording means. However, in the case of an io 
integrated decoder/recorder, for example, the same 
security module may be used to hold all keys. 
[0016] In one embodimeit. the recading encryption 
key and/or recording transport key function In accord- 
ance with a first encryption algorithm and the transmis- is 
sion access control keys function in accordance with a 
second encryption algorithm. 

[0017] For example, the recording encryption and 
transport keys may use the symmetric DES algorithm, 
whilst the transmission keys function in accordance with 20 
a customised algorithm, unique to the txoadcast access 
control system. This enat>les the system manager to 
retain control over the algorithm chosen for the trar^- 
mission keys whilst allowing a generic algorithm to be 
used for the keys relating to a recording. 2s 
[0018] In one embodiment, the recording transport 
key is generated at a central recording authorisation 
unit and a copy of this key communicated to the record- 
ing means. In the event of loss or destruction of the key 
support associated with the recording means a backup 30 
copy or at least the means to generate the the transport 
key will at all times be present at the central recording 
authorisation unit. 

[0019] For security reasons, the recording transport 
key is preferably encrypted by a further encryption key 35 
prior to being communicated to the recording means. 
This further encryption key may be based, for example, 
on an encryption key common to all recorder security 
modules diversified by the serial numt)er of the security 
module, such that only that security module can read 40 
the message. 

[0020] In the case where the system conprises a 
receiverAJecoder physically separate from the recording 
means it may be desirable for the recording means to 
possess the same access rights as the 45 
receiver/decoder, for example to permit the 
receiver/decoder to simply forward the data stream "as 
is' to the recorder for processing. 
[0021] Accordingly. In one embodimerrt, a central 
access control system communicates transmission so 
access control keys to a portable security module asso- 
ciated with the recording means. These may comprise, 
for example, a double of the keys normally held by the 
portable security nxxiule associated with the decoder 
and which are i^ed to descranrble trar^missions. ss 
[0022] In this embodiment the recording mear^ 
directly descrambles transmitted irrtonnation using the 
transmission access keys prior to re-encryption of the 



infonmation by the recording encryption key and storage 
on the suiport medium. 

[0023] In a similar manner as with the conrmunication 
of the transport key. the central access control system 
preferably encrypts the broadcast access control keys 
by a further encryption key prior to their conrmunication 
to the recording means. This further encryption key may 
equally connprise an audience key commcxi to all secu- 
rity modules diversified by the serial number of the 
recording means. 

[0024] In order to enable the central access control 
system to correctly identify the broadcast access keys 
that need to be tonvarded to the recording means, the 
recording means preferat^ly sends a request to the cen- 
tral access control system inducfing information kjentify- 
ing the broadcast access keys needed, the request 
being authentified by the recording means using a key 
unique to the recording means. This may correspond, 
for example, to the key used to encrypt communications 
from the central access control system to the recording 
means. 

[0025] In the above realisations of the inverrtion, a 
number of diverse embodiments have been described, 
in particular in which a central recording authorisation 
unit generates and maintains a copy of the recording 
transport keys and in which a central access control 
system sends a duplicate set of transmission access 
control keys to the recording means. Alternative embod- 
iments are possible. 

[0026] For example, in one embodiment connprising a 
decoder means and associated security module and a 
recording means and associated security nrKxlule. a 
copy of the recording transport key is stored in the secu- 
rity module associated with the decoder means. In this 
way, a backup key for decrypting a recording win always 
k>e availat)le even in the event of destruction or loss of 
the recorder security module. 
[0027] The recording transport key may be generated, 
for example, by the recording means security module 
and communicated to the decoder means security mod- 
ule or vice versa. For security reasons, the recording 
transport key is preferatrfy encrypted before communi- 
cation to the decoder security module and decrypted by 
a key unique to the security module receiving the 
recording transport key. 

[0028] This unique key and its equivalent may be 
embedded in the respective security nxxiules at the 
moment of their creation. However, altematively, the 
decoder security module and recording security module 
carry out a mutual authorisation process, the unique 
decryption key being passed to the other security mod- 
ule from the encrypting security module depending on 
the results of tiie mutual authorisation. 
[0029] tn one embodiment the nrujtual authorisation 
st^ is carried out using, inter alia, an audience key 
known to both security modules diver^ied by the serial 
rumber of each module. 

[0030] In a further development of this double security 
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recording support according to this second err^xxl- 
iment; and 

Rgure 20 shows communication between a 
decoder card and a recorder card. 5 

[0038] An overview of a digital television broadcast 
and reception system 1 is shown in Rgure 1 . The inven- 
tion includes a mostly conventional digital television 
system 2 which uses the MPEG-2 conpression system io 
to transmit compressed digital signals. In tmre detail. 
MPEG-2 compressor 3 in a broadcast centre receives a 
digital signal stream (for example a stream of audio or 
video signals). The corrpressor 3 is connected to a mul- 
tiplexer arKl saaml)ler 4 by linkage 5. The murtiplexer 4 is 
receives a plurality of further input signals, assembles 
one or more transport streams and transmits com- 
pressed digital signals to a transmitter 6 of the broad- 
cast centre via linkage 7, which can of course take a 
vwde variety of forms including telecom links. so 
[0039] The transmitter 6 transmits electromagnetic 
signals via uplink 8 towards a satellite transponder 9. 
where they are electronically processed and broadcast 
via a notional dcfwnlink 1 0 to earth receive 1 1 , converv 
tionally in the form of a dish owned or rented by the end 2S 
user. The signals received by receiver 1 1 are transmit- 
ted to an integrated receiver/decoder 12 owned or 
rented by the end user and connected to the end user's 
television set 13. The receiver/decoder 12 decodes the 
compressed MPEG-2 signal into a television signal for 30 
the television set 13. 

[0040] A conditional access system 20 is connected to 
the multiplexer 4 and the receiver/decoder 12. and is 
located partly in the broadcast centre and partly in the 
decoder. It enat^es the end user to access digital televi- 35 
sion broadcasts from one or more broadcast suppliers. 
A smartcard. capable of decrypting messages relating 
to commercial offers (that is. one or several television 
programmes sold by the broadcast supplier), can be 
inserted into the receiver/decoder 12. Using the 40 
decoder 12 and smartcard. the end user may purchase 
evertts in either a sutTscription nrxxle or a pay-per-view 
mode. 

[0041 ] An interactive system 1 7, also connected to the 
multiplexer 4 and the receiver/decoder 12 and again 45 
located partly in the broadcast centre and partly in the 
decoder, may be provkied to enable the end user to 
interact with various applications via a modemmed back 
channel 16. 

[0042] The conditional access system 20 will now be so 
desaibed in more detail. With reference to Rgure 2. in 
overview the conditional access system 20 includes a 
Sut>scriber Authorization System (SAS) 21 . The SAS 21 
is connected to one or wore Sut>scriber Management 
Systems (SMS) 22. one SMS for each broadcast sup* 55 
plier, by a respective TCP-IP linkage 23 (although other 
types of linkage couki alternatively be used). Attema- 
tively. one SMS coukl be shared between two broadcast 



suppliers, or one supplier could use two SMSs. and 
soon. 

[0043] Rrst encrypting units in the form of ciphering 
units 24 utilising "mother* smartcards 25 are connected 
to the SAS by linkage 26. Second encrypting units 
again in the form of ciphering units 27 utilising mother 
smartcards 28 are connected to the multiplexer 4 by 
linkage 29. The receiver/decoder 12 receives a portable 
security module, for example in the form of "daughter" 
smartcard 30. It is connected directly to the SAS 21 by 
Communications Servers 31 via the modemmed back 
channd 16. The SAS sends, amongst other things, sub- 
scription rights to the daughter smartcard on request. 
[0044] The smartcards contain the secrets of one or 
more commercial op^ators. The "mother" smartcard 
encrypts different kinds of messages and the "daughter" 
smartcards decrypjt the messages, rf they have the 
rights to do so. 

[0045] The first and second ciphering units 24 and 27 
comprise a rack, an electronic VME card with software 
stored on an EEPROM. up to 20 electronic cards and 
one smartcard 25 and 28 respectively, for each elec- 
tronic card, one card 28 for encryptir^ the ECMs and 
one card 25 for encrypting the EMMs. 
[0046] The operation of the conditional access system 
20 of the digital television system will now be described 
in more detail with reference to the various components 
of the television system 2 and the conditional access 
system 20. 

MuHiplexer and Scramt>ler 

[0047] With reference to Rgures 1 and 2. in the broad- 
cast centre, the digital audio or video signal is first com- 
pressed (or bit rate reduced), using the MPEG-2 
compressor 3. This compressed signal is then transmit- 
ted to the multiplexer and scrambler 4 via the linkage 5 
in order to be multiplexed with other data, such as other 
conpressed data. 

[0048] The scran^er generates a control word used 
in the scrambling process and included in the MPEG-2 
stream in the multiplexer. The control word is generated 
interr^lly arti enatsles the end user's integrated 
receiver/decoder 1 2 to descramble the programme. 
[0049] Access criteria, indicating how the programme 
is commercialised, are also added to the MPEG-2 
stream. The programme may be commercialised in 
either one of a number o1 "suljscription" modes and/or 
one of a number of "Pay Per View" (PPV) modes or 
events. In the sut>scription mode, the end user sub- 
scrik>es to one or more commercial offers, or 'bou- 
quets", thus getting the rights to watch every channel 
inskie those bouquets. In the preferred errixxfiment. up 
to 960 commercial offers may be selected from a bou- 
quet of (flannels. 

[0050] In the Pay Per View mode, the end user is pro- 
vided with the capability to purchase events as he 
wishes. Ths can be achieved by either pre-booking the 
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nal for onward transmission to television set 1 3. 

Subscriber Management System (SMS) 

[0062] A SiA)scriber Management System (SMS) 22 5 
irrcludes a database 32 vt^ch manages, amongst oth- 
ers, all of the end user files, commercial offers, sub- 
scriptions. PPV details, and data regarding &\6 user 
consumption and autfK)rization. The SMS may be phys- 
ically remote from the SAS. io 
[0063] Each SMS 22 transmits messages to the SAS 
21 via respective linkage 23 which imply modifications 
to or creations of Entitlement Management Messages 
(EMMs) to be transmitted to &Ki us&s, 
[0064] The SMS 22 also transmits messages to the is 
SAS 21 wtiich imply no modifications or creations of 
EMMs txrt imply only a change in an end user's state 
(relating to the authorization granted to the end user 
when ordering products or to the amount that the end 
user will be charged). 20 
[0065] The SAS 21 sends messages (typically 
requesting information such as call-back information or 
billing information) to the SMS 22. so that it will be 
apparent that communication between the two is two- 
way 25 

Subscriber Authorization System (SAS) 

[0066] The messages generated by the SMS 22 are 
passed via linkage 23 to the Subscriber Authorization 30 
System (SAS) 21. which in turn generates messages 
acknowledging receipt of the messages generated by 
the SMS 21 and passes these acknowledgements to 
the SMS 22. 

[0067] In overview the SAS comprises a Suk)Scription 35 
Chain area to give rights for subscription mode and to 
renew the rights automatically each month, a Pay Per 
View Chain area to give rights for PPV events, and an 
EMM Injector for passing EMMs created by the SiAy 
sermon and PPV chain areas to the multiplexer and 40 
scrambler 4, and hence to feed the MPEG stream with 
EMMs. If other rights are to be granted, such as Pay Per 
nie (PPF) rights in the case of downloading computer 
software to a user's Personal Computer, other similar 
areas are also provided. 45 
[0068] One function of the SAS 21 is to rmnage the 
access rights to television programmes, avaiiat>le as 
commercial offers in sii>scription mode or sokJ as PPV 
events according to different modes of commercialisa- 
tion (pre-book mode, irrpulse mode). The SAS 21, so 
according to those rights and to information received 
from the SMS 22, generates EMMs for the sut^scrber. 
[0069] The EMMs are passed to the Ciphering Unit 
(CU) 24 for ciphering with r^ect to the managemert 
and exploitation keys. The CU completes the signature ss 
on the EMM and passes the EMM back to a Message 
Generator (MG) in the SAS 21. where a header is 
added. The EMMs are passed to a Message Emitter 



(ME) as complete EMMs. The Message Generator 
determines the broadcast start and stop time and the 
rate of emission of the EMMs. and passes these as 
appropriate directions along with the EMMs to the Mes- 
sage Emitter. The MG only generates a given EMM 
once; it is the ME wrhich performs cyclic transmission of 
the EMMs. 

[0070] On generation of an EMM, the MG assigns a 
unique identifier to the EMM. When the MG passes the 
EMM to the ME, it also passes the EMM ID. This ena- 
bles identification of a particular EMM at both the MG 
and the ME. 

[0071] In systems such as simulaypt which are 
adapted to handle multiple conditional access systems 
eg. associated with multiple operators, EMM streams 
associated with each conditional access system are 
generated separately and multiplexed together by the 
multiplexer 4 prior to transmission. 

Encryption Levels of the System 

[0072] Referring now to Figure 3. a simplified outline 
of the encryption levels in the broadcast system will now 
be described. The stages of encryption associated with 
the broadcast of the digital data are shown at 41, the 
transmission channel (eg a satellite link as described 
above) at 42 and the stages of decryption at the 
receiver at 43. 

[0073] The digital data N is scrambled by a control 
word CW before being tiansmitted to a multiplexer Mp 
for subsequent transmission. As will be seen from tiie 
lower part of Rgure 3. the transmitted data includes an 
ECM comprising, inter alia, the control word CW as 
encrypted by an encrypter Chi controlled by a first 
encryption Kex. At the receiver/decoder, the signal 
passes by a demuttiplexer DMp and descrambler D 
t>efore t>eing passed to a television 2022 for viewing. A 
decryption unit DChI also possessing the key Kex 
decrypts tiie ECM in the demultiplexed signal to obtain 
tiie control word CW sut>sequentiy used to descramble 
tiie signal. 

[0074] For security reasons, the control word CW 
^nbedded in the encrypted ECM changes on average 
every 10 seconds or so. In contrast, the first encryption 
key Kex used by the receiver to decode the ECM is 
changed every month or so by means of an operator 
EMM. The encryption key Kex is encrypted by a second 
unit ChP using a personaGsed group key K1(GN). If tiie 
sut^scrft^er is one of those chosen to receive an updated 
key Kex, a decryption unit DChP in the decoder wilt 
decrypt the m^sage using its group key K1(GN) to 
obtain that month's key Kex. 

[0075] The decryption units DChp and DCh1 and the 
associated keys are held on a smart card provided to 
the subscnt>er and inserted in a smart card read^ in the 
decoder. The keys may be generated, for example, 
according to any generaOy used symmetric key algo- 
rithm or in accordance with a cust(»nised symmetric key 
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are more usually created by means of a special trans* 
mitted EMM message at the start up of a decode*. 
[0088] As mentioned atxTve, the operator keys may 
typically include a KG* diversified by a number NS 
unique to that card, a group key K1* diversified by a 
group number GN and an audience key K2* diversified 
by a constant Z and conunon to all sut>saiber card 
addressed by that operator. 

[0089] Finally, the smart card includes the value of the 
unique numt>er NS of that card, inplanted at the 
moment of personaOsation and held In the zone 57 of 
the smart card memory. 

[0090] As is shown, the SIM card 52 associated with 
the digital recorder induies two sections 58. 59 associ- 
ated with keys and operations carried out using the CA 
and DES algorithms, respectively. The section 59 asso- 
ciated with operations using the CA algorithm includes a 
first system manager zone 60 and an operator zone 61. 
The keys in the system manager zone are inplanted in 
the card at the nroment of personalisation by the condi- 
tional access system manager and include a key KO 
diversified by the serial number NSIM of the SIM card 
as well as a communications transport key T also diver- 
sified by the serial number NSIM of the card. Both keys 
are unique to the SIM card in question. 
[0091 ] The SIM card further includes an operator zone 
61 adapted to store keys associated with one or more 
operators. In the present Figure 5. the SIM card is 
shown as it is at the moment of its aeation and person- 
alisation by the conditional access system manager and 
before insertion in a recorder. For this reason, both the 
operator zone 61 and the DES zone 58 are shown as 
blank, i.e. without any stored keys. 
[0092] Finally, the SIM card includes a zone 63 
adapted to hold the unique SIM card serial number 
NSIM. 

[0093] As mentioned above, in this embodiment, the 
recorder SIM card 52 is adapted to handle the real time 
decryption and descramt)ling of broadcast data autono- 
mously and independent of the smart card 30 associ- 
ated with the decoder. In order to carry out these 
operations, it is necessary for the recorder SIM card 52 
to possess a double of the keys usually held in the sys- 
tem manager and operator zones 55, 56 d the decoder 
smart card (see Rgure 5). As will be described, once 
the necessary keys are installed in the recorder SIM 
card 52. the decoder 12 will thereafter pass the broad- 
cast transmission stream "as is" to the digital recorder 
50 and card 52. 

[0094] In this enit)odiment, the generation of duplicate 
broadcast related keys is managed by the central cond'h 
tional access system 21 . the cfigital recorder 50 acting to 
transmit a request to the appropriate server. e.g. via the 
modem link provided fciy the decoder 12. Atternativety. it 
may be envisaged that the recorder itself will be 
equipped with a modem to carry out this request In this 
enrtx)diment, the central concfitional access system 
serves to regulate both transmission access control 



keys and. as will be described recording access control 
keys 

[0095] In order to enable the central corxlitional 
access system server to generate a double of the keys 

5 associated with the decoder smart card it is necessary 
that the request message from the recorder SIM card 
includes an identification of the identity of the decoder 
smart card (e.g. the smart card serial numt)er NS) as 
well as providing secured conf imnation of its own iden- 

10 tity. 

[0096] As a first step therefore, the decoder smart 
card 30 communicates its serial number NS ard a Kst of 
operators Opi. Op2 etc. to the SIM card 52. For rea- 
sons of security, this communication may itself be 

15 encrypted by a sinple transport enayption algorithm 
applied to all comnrunications between the decoder 12 
and recorder 50. To avoid unnecessary complexity in 
the Rgures, the keys assodated with this encryption are 
not shown. The decider card serial number NS is then 

so stored in the system manager zone of the SIM card. 
[0097] The recorder SIM card 52 then sets up a com- 
munication with the conditional access system 21 and 
requests the unique number NMERE of the conditional 
access system 21 at the conditional access server (see 

25 Rgure 2). Using tiie information thus obtained, the 
recorder SIM card 52 generates a message using the 
CA algorithm, as shown in Fig. 6. 
[0098] In the convention adopted in the acconpanying 
drawings, tiie symmetric algoritiim to be used in a given 

30 cryptographic step (CA or DES) is identified within an 
cval. The data to be encrypted and/or the data sen«ng 
as a diversifier is identified as arriving via a blacked out 
input to ttie oval. See the encryption of the smart card 
number and ope-ator list at 70 in Rgure 6. Decryption 

35 Steps are distinguished using an inverse power sign, for 
example CA"^ or DES'^ 

[0099] As a first step in Rgure 6. the smart card 
number NS and operator list are encrypted by tiie key 
KO (NSIM) as shown at 70 to generate a message 71 

40 comprising the SIM card serial numb^ NSIM and the 
encrypted data. At a second step 72. the encrypted data 
is again re-encrypted by the key T (NSIM, NMERE), 
aeated by diversifying the key T (NSIM) by a unique 
value NMERE associated with the concfitional access 

45 system. As will be understood, the steps 70, 71 may be 
carried out in the inverse order. The message 73 arxi 
signature thus formed are then sent to the conditional 
access server 21 , ciphering unit 24 and mother card 25. 
[01 00] The conditional access system 21 decrypts the 

50 message as shown in Rgure 7. The system possesses 
the original key KO shown at 76. Diversifying the key KO 
with the NSIM value contained in the message, as 
shown at 77. generates the key KO (NSIM). ITie key KO 
(NSIM) ^ first used to validate the signature at 78. In the 

55 e^ent that the signature is not valid, the analysis of the 
message encte, as shown at 81 . 
[01 01 ] In addition to the key HD, the system also pos- 
sesses the transport k^ T or at least the key T 
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that the recorder SIM card contains a duplicate of the 
necessary operator keys to ind^erejerrtly decrypt and 
desaamble a real time transmission. The second 
embodiment, described below in Rgures 12 to 19 does 
not suffer from these constraints, but desait>es a reali- 
sation in which the decoder smart card plays a more 
important role. 

Second Embodiment 

[01 14] Refening to Figure 1 2, the structure of the con- 
ditional access zones in the decoder smart card 30 and 
recorder SIM card 52 in such a system are shown. As 
before, both cards Include zones reserved for opera- 
tions using the CA algorithm and storage of key data, in 
particular systOTi manager zones 55, 60 and operator 
zones 56, 61. 

[0115] In the present embodiment, the system man- 
ager zone 55 of the decoder card 30 includes, in addi- 
tion to the key KO (NS), an audience key K1 (C) 
common to all cards personalised and managed by the 
system nnanager and formed by the diversification of a 
CA key by a constant value C. This key K1 (C) is also 
present in the system management zone 60 of the 
recorder card 52. 

[0116] The other signrfK^ant change in comparison 
with the zone structure of the previous emtxxJiment Is 
that the smart card 30 is additionally provided with the 
DES algorithm and includes a DES operating zone 120. 
[01 1 7] In order to enable the decoder smart card and 
recorda- SIM card to work together and. in particular, to 
enable the eventual generation of a recording transport 
key TR, it is necessary for a mutual authentification of 
both cards to be carried out. 

[0118] As shown in Figure 13. as a first step 121 the 
recorder SIM card 52 requests a random number from 
the decoder smart card 30 which returns the number A1 
at 122. This number is then used to diversify the audi- 
ence key K1 (C) at step 123 to generate the key K1 (C, 
A1) shown at step 124. The SIM card then generates a 
second random number A2 shown at 125, which is in 
turn encrypted by the key K1 (C. A1) at 126. Before 
comnuinication to the smart card, this message is again 
encrypted and signed at 128 by a second key K1 (C. 
NSIM) shown at 127 and formed by diversifying the 
audience key K1 (C) by the value NSIM. The message 
129 thus formed is sent as a request for serial number 
NS and associated individual key KO(NS) to the 
decoder smart card 30. 

[01 1 9] Referring to Rgure 1 4, on arrival at the decoder 
smart card 30, the communicated value NSIM is used 
by the smart card to generate the key K1 (C. NSIM). The 
value of A2 is th&i deaypted at 130 using thus key and 
the key K1 (C, A1) obtained by the smart card using the 
random number A1 that rt had previously generated and 
stored in its memory. 

[01 20] This random number value A2 obtained at 1 31 
is then used to diversify the audience key K1 (C) to 



obtain the key K1 (C, A2) shown at 132. The key K1 (C, 
A2) thai encrypts the smart card unique seial nunrt>er 
NS and system key KO (NS) at 133 to aeate the mes- 
sage 134. 

5 [01 21 ] As before, this message is then re-encrypted at 
135 using the key K1 (C. NSIM) shown at 136 and the 
message retumed to the recorder SIM card 52 as 
shown at 137. 

[01 22] The recorder SIM card generates the keys K1 

10 (C, A2) and K1 (C. NSIM) shown at 138 by diversifying 
the key Kl (C) by the NSIM serial number and the pre- 
viously generated and memorised random number A2. 
These keys are used to decrypt at 139 the messages so 
as to obtain the unk^ue serial number NS arxj unique 

75 system manager key KO (NS) of the smart card, tfiis 
information thereafter t>eing recorded in the memory of 
the recorder SIM card at 140. 
[01 23] Unlike the previous embodiment, in which dou- 
bles of all system manager and operator keys were 

20 taken to ensure independent operation of the recorder 
SIM card, the double key KO (NS) and the smart card 
serial number NS are used to set up a session key for 
recording and to enable secure communication 
between the cards during a recordng session, notably 

25 to enable secure communication of a recording trans- 
port key 

[01 24] In this anbodiment. the initial decryption of the 
CW is handled by the smart card using the operator 
keys and monthly exploitation keys that it possesses. 
30 Whilst it is conceivable that the control word CW could 
be passed directly to the SIM card during the creation of 
a recording it is desirable for security reasons to use a 
session key to transport the control word CW for this 
purpose. 

35 [0125] Rgure 15 shows one way of creating such a 
key As shown, the recorder SIM card picks a random 
key K3 shown at 1 41 and diversifies this key at 1 42 with 
the SIM card serial number NSIM shown at 143. The 
key K3 may be taken from any one of a number of such 

40 keys stored lor this purpose in the system manager 
zone. The CA session key K3 (NSIM) thus created at 
144 is then encrypted at 145 using the previously 
obtained snart card system manager key KO (NS) 
shown at 146. The message 147 thus generated is 

45 thereafter transmitted to the decoder smart card 55 
which uses its key KO (NS) to deaypt the message at 
148 and store the session key K3 (NSIM) in the menrx)ry 
of the card at step 149. 

[01 26] Refemng to Figure 1 6, the state of the recorder 
50 SIM card prior to a recording operation will now be 
descril>ed. The system manager zone 60 includes the 
smart card key KO (NS) and the session key K3 (NSIM) 
as well as the normally present system keys KO (NSIM) 
etc. (not shown). In addition, the card aeates a DES 
55 recording encryption key from a DES key E shown at 
150 by diversifying this key at 151 by a random value 
NE shown at 152. As before, the resulting recording 
encryption key E (NE) vWII be i^ed in the re-encryption 
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usable to descrarr^e a scrarr^ed data transmis- 
sion also recorded on the support medium. 

3. A method as claimed in claim 1 or 2 in which the 
recording encryption key (E(NE)) and/or recording s 
trarsport key (RT(A)) are stored on a portatjie 
security module (52) associated with the recording 
means (50). 

4. A method as claimed in any preceding daim in io 
which the transmitted information is encrypted prior 

to transmission and received by a decode means 
(12) before being communicated to the recording 
means (50). 

IS 

5. A method as claimed in claim 4 in which the 
decoder (50) is associated with a portable security 
module (30) used to store transmission access con- 
trol keys (KO(NS). K0'(Op1.NS) etc.) used to 
decrypt the transmitted encrypted irTformation. 20 

6. A method as claimed in claim 5 in which the record- 
ing encryption key (E(NE)) and/or recording trans- 
port key (RT(A)) function in accordance with a first 
encryption algorithm (DES) arxJ the transmission 25 
access control keys (KO(NS). K0XOp1.NS)etc.) 
function in accordance with a second encryption 
algorithm (CA). 

7. A method as claimed in any preceding daim in 30 
which the recording transport key (RT(A)) is gener- 
ated at a certtral recording authorisation unit 

(21 ,24,25) and a copy of this key communicated to 
the recording means (50). 

35 

8. A method as claimed in claim 7 in which the record- 
ing transport key (RT(A)) is preferably encrypted by 
a further encryption key (KO(NSIM)) prior to being 
communicated to the recording means (50). 

40 

9. A method as daimed in any preceding daim in 
which a central access control system (21,24.25) 
comnruinicates transmission access control keys 
(KO(NS), KOXOpI ,NS) etc.) to the recording means 
(50). 45 

10. A method as claimed in claim 9 in which the trans- 
mission access control keys (KO(NS). K0'(Op1,NS) 
etc.) are communicated to a portable security mod- 
ule (52) associated with the recording means (50). so 

11. A method as daimed in claim 9 or 10 in which the 
recordng means (50) directly descran^les trans- 
mitted information using the transmission access 
keys (KO(NS). KOXOpI .NS) etc.) prior to re-encryp- ss 
tion of the information by the recording encryption 
key (E(NE)) and storage on the support medium. 



12. A method as daimed in any of daims 9, 10 or 1 1 in 
which the central access control system (21, 24. 
25) preferably encrypts the broadcast access con- 
trol keys (KO(NS). KOXOpl.NS) etc.) by a firther 
encryption key (KO(NSIM)) prior to their communi- 
cation to the recording means (50). 

13. A method as daimed in any of daims 9 to 12 in 
which the recording means (50) sends a request to 
the central access control system induding infor- 
nration identifying the broadcast access keys 
needed (KO(NS). KOXOpl.NS) etc.). the request 
being authentified by the recording means (50) 
using a key (KO(NSIM)) unique to that recording 
means. 

14. A method as daimed in daim 1 using a decoder 
means (12) ard assodated security module (30) 
and a recording means (50) and assodated secu- 
rity module (52) and in which a copy of the record- 
ing transport key (RT(A)) is stored in the security* 
module (30) assodated with the decoder means 
(12). 

15. A method as daimed in claim 14 in which the 
recording transport key (RT(A)) is generated by the 
recording security module (52) or decoder security 
OKXlule (30) and communicated to the other secu- 
rity nxxiule. 

16. A method as daimed in daim 15 in which the 
recording transport key (RT(A)) is preferably 
encrypted before communication to the other secu- 
rity module and decrypted by a key unique 
(KO(NS)) to that other security module. 

17. A method as daimed in claim 16 in which the 
decoder security module (30) and recording secu- 
rity nrKXlule (52) cany out a mutual authorisation 
process, the unique decryption key (KO(NS)) being 
passed to the other security module from the 
encrypting security module depending on the 
results of the mutual authorisation. 

ia A method as daimed in daim 17 in which the 
nuitual authorisation step is carried out using, inter 
alia, an audience key K1(C) known to both security 
modules (30.52) diversified by the serial number 
(NS, NSIM) of each module. 

19. A method as daimed in any of daims 14 to 18 in 
which the decoder security n^ule (30) possesses 
transmission access contrd keys (KO(NS) , 
KO'(Opl.NS) etc.) to decrypt the transmitted infor- 
mation in an encrypted form and a session key 
(K3(NSIM)) re-»icrypt the information prior to com- 
nunication to the recording security module (52). 
the recording security module (52) possessing an 
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Fig.8. 
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